70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 11: Group Policy for Corporate Policy

Upload: allison-hancock

Post on 14-Dec-2015


TRANSCRIPT

Page 1: 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 11: Group Policy for Corporate Policy

70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced

Chapter 11: Group Policy for Corporate Policy

Page 2

Guide to MCSE 70-294, Enhanced 2

Objectives

• Understand and describe the purpose of Group Policy
• Describe how Group Policy is applied
• Manage desktop computers using Group Policy
• Analyze and configure security settings using Group Policy

Page 3

Objectives (continued)

• Install and use the Group Policy Management Console
• Troubleshoot Group Policy

Page 4

Group Policy

• Introduced in Windows 2000
• Enhanced in:
  • Windows XP
  • Windows Server 2003
• Largely a collection of registry entries: the Administrative Templates settings are written under the Policies keys of HKLM\Software and HKCU\Software, while other extensions handle security settings, scripts, software installation and folder redirection
• Enhancements in Windows Server 2003:
  • Transient policy settings
  • Expanded capabilities

Page 5

Administrative Templates

• Files with the .adm extension
• Describe registry settings and how the Group Policy Object Editor should present them
• Can be configured in local computer policy or in a domain GPO
• Included with Windows Server 2003:
  • System.adm
  • Inetres.adm
  • Wmplayer.adm
  • Conf.adm
  • Wuau.adm

Page 6

Client-side Extensions

• Allow for more advanced control and configuration than registry-based Administrative Templates
• Run on the client to apply their part of a GPO; each one is registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions, which is where to look when a particular kind of setting is not being applied
• Included with Windows Server 2003 and Windows XP:
  • EFS (Encrypting File System) recovery
  • Folder redirection
  • Internet Explorer maintenance
  • IP security

Page 7

Client-side Extensions (continued)

• Included with Windows Server 2003 and Windows XP:
  • Microsoft Disk Quota
  • QoS Packet Scheduler
  • Scripts
  • Security
  • Software installation
  • Wireless

Page 8

Group Policy Storage

• Stored on:
  • Domain controllers (GPOs)
  • Local computers (the local policy object)
• Local policy object
  • Stored in the hidden folder %SystemRoot%\System32\GroupPolicy
  • Referred to as local computer policy
  • Applies only to the local computer
  • Great for a workgroup environment; in a domain it is applied first and any domain GPO can override it

Page 9

Group Policy Storage (continued)

• GPOs
  • Stored on domain controllers and replicated between them
  • Centrally managed
  • A single GPO typically affects many users and computers
  • One part is stored in the Active Directory database and is called the group policy container (GPC): an object named by the GPO's GUID under CN=Policies,CN=System in the domain partition, which holds the GPO's version number, status and ACL
  • The other part is stored in the SYSVOL share and is referred to as the group policy template (GPT): the folder \\<domain>\SYSVOL\<domain>\Policies\{GUID}, which holds the actual settings files

Page 10

Group Policy Storage (continued)

• GPT subfolders:
  • Adm
  • USER
  • USER\applications
  • MACHINE
  • MACHINE\applications
• The GPT root also holds gpt.ini, whose Version line must match the version number on the GPC; clients use it to decide whether the GPO changed since they last processed it, and a mismatch between the two means replication has not completed

Page 11

Creating a Group Policy Object

• Tools for creating GPOs:
  • Group Policy standalone Microsoft Management Console (MMC) snap-in (the Group Policy Object Editor)
  • Group Policy extension (the Group Policy tab) in Active Directory Users and Computers

Page 12

Activity 11-1: Creating a Group Policy Object Using the MMC

• Objective: Use the Group Policy Object Editor MMC snap-in to create GPOs
• Follow directions to create GPOs

Page 13

Group Policy Processing

• GPOs are linked to sites, domains, and organizational units using GPO links
• A GPO applies to the user and computer objects that exist in the container to which it is linked, including its child containers
• One GPO can be linked to multiple organizational units, sites, or even domains
• A GPO is stored only on the domain controllers of the domain where it was created; a link from another domain or site works, but the client has to retrieve the GPO from that domain's domain controllers every time it is processed, which is slower

Page 14

Group Policy Priority

• Processing order:
  • The first policy to be applied is the local computer policy
  • Then any GPOs linked to the site
  • Then GPOs linked to the domain
  • Then GPOs linked to organizational units, parent OU before child OU
• Within one container, links are processed in reverse link order: link order 1 is applied last and therefore has the highest priority

Page 15

Group Policy Priority (continued)

• The process is followed twice:
  • Once for Computer Configuration, when the computer starts up
  • Once for User Configuration, when the user logs on
• Both parts are also refreshed in the background: every 90 minutes with a random offset of up to 30 minutes on member computers, every 5 minutes on domain controllers

Page 16

Default GPO Processing Order (figure)

Page 17

Dealing with Conflict

• Options for a policy setting:
  • Enabled
  • Disabled
  • Not Configured
• Policy settings from multiple GPOs are combined as long as they do not conflict; a setting left Not Configured in one GPO never overrides a value set by another
• In case of conflict, the GPO applied last wins
• Enabled and Disabled are both explicit values: a later GPO that sets a setting to Disabled overrides an earlier GPO that Enabled it, whereas Not Configured leaves the earlier value in place

Page 18

Modifying Group Policy Priority

• Modify priority by configuring these settings:
  • No Override (called Enforced in GPMC), set on a GPO link: the link's settings cannot be overridden by GPOs processed later, and the link is applied even through Block Policy Inheritance
  • Block Policy Inheritance, set on a domain or OU: GPOs linked to parent containers are not applied, except for No Override links
  • Loopback Processing Mode, a Computer Configuration setting: the user settings are taken from the GPOs that apply to the computer, either instead of the user's own GPOs (Replace) or after them (Merge); used for kiosks and terminal servers

Page 19

Controlling Group Policy Application with Permissions

• GPOs cannot be linked to groups
• Application of Group Policy can instead be controlled through permissions on the GPO itself (security filtering)
• By default Authenticated Users has Read and Apply Group Policy, so every user and computer under the linked container receives the GPO

Page 20

Controlling Group Policy Application with Permissions (continued)

• Standard permissions available on a GPO:
  • Full Control
  • Read
  • Write
  • Create All Child Objects
  • Delete All Child Objects
  • Apply Group Policy
• A GPO applies to a principal only when that principal has both Read and Apply Group Policy; a Deny on Apply Group Policy for one group exempts its members even though Authenticated Users is allowed, because a Deny entry wins over an Allow

Page 21

Activity 11-5: Filtering Group Policy Objects Using Security Permissions

• Objective: Use security permissions to filter and control the application of policy settings
• Follow instructions to stop settings in the Marketing Policy GPO from applying to the Administrators group (a Deny on Apply Group Policy for Administrators on the GPO's Security tab)

Page 22

Windows Management Instrumentation Filters

• Used to restrict the application of GPOs
• Control GPO application based on computer configuration, such as:
  • Hardware configuration
  • File existence or attributes
  • Applications being installed
  • Amount of free hard drive space
• Written in WMI Query Language (WQL), for example SELECT * FROM Win32_OperatingSystem WHERE Caption LIKE "%XP%"
• One WMI filter can be attached to a GPO; the GPO applies when the query returns at least one object
• Do not apply to Windows 2000: a Windows 2000 client ignores the filter and applies the GPO anyway, so a filter cannot be used to keep a GPO away from Windows 2000 computers
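The processing rules on pages 14 through 22 (local, site, domain, OU order; last applied wins; No Override and Block Policy Inheritance; security filtering by Read and Apply Group Policy; WMI filters) are easiest to check against a model. The following is an added example written for this page, not code from the textbook or from Microsoft: a small Python simulation of how a client orders GPOs and resolves each setting. The site, domain, OU and GPO names, the settings, the group names and the WMI predicate are all constructed; a real client gets the container chain from Active Directory and the ACL from the GPC.

```python
"""Added example, not from the textbook: a model of the order in which a
client applies GPOs and of the value one setting ends up with.  Rules
modelled (Windows 2000/XP/Server 2003 behaviour):
  * order is Local, Site, Domain, OU (parent OU before child OU); within
    one container link order 1 is applied last and therefore wins;
  * a setting left Not Configured does not touch the result; otherwise
    the GPO applied last wins;
  * Block Policy Inheritance on a container drops every non-enforced
    link from the containers above it;
  * No Override (Enforced) links are applied after all normal links and
    ignore Block Inheritance; among enforced links the one nearest the
    site wins, so it is applied last;
  * a GPO is skipped unless the principal has Read and Apply Group
    Policy, and a Deny ACE beats an Allow;
  * a WMI filter is evaluated by XP/2003 clients only; Windows 2000
    ignores it and applies the GPO.
All names, settings, groups and the WMI predicate below are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

NOT_CONFIGURED = "Not Configured"


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    allow_apply: Set[str] = field(default_factory=lambda: {"Authenticated Users"})
    deny_apply: Set[str] = field(default_factory=set)
    wmi_filter: Optional[Callable[[dict], bool]] = None


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False          # "No Override" in ADUC, "Enforced" in GPMC


@dataclass
class Container:
    name: str
    links: List[Link]               # index 0 is link order 1, the highest priority
    block_inheritance: bool = False


def applies_to(gpo: GPO, groups: Set[str], computer: dict) -> bool:
    """Security filtering (Read + Apply Group Policy) and WMI filtering."""
    if gpo.deny_apply & groups:                 # an explicit Deny always wins
        return False
    if not (gpo.allow_apply & groups):          # no Allow: the GPO is not applied
        return False
    if gpo.wmi_filter is not None and computer.get("os") != "Windows 2000":
        return gpo.wmi_filter(computer)
    return True


def application_sequence(local: GPO, chain: List[Container]) -> List[GPO]:
    """chain runs from the site down to the most specific OU."""
    first_unblocked = 0                          # lowest container with Block Inheritance
    for i, c in enumerate(chain):
        if c.block_inheritance:
            first_unblocked = i
    normal: List[GPO] = []
    for c in chain[first_unblocked:]:
        for link in reversed(c.links):           # link order 1 goes last
            if not link.enforced:
                normal.append(link.gpo)
    enforced: List[GPO] = []
    for c in reversed(chain):                    # most specific container first ...
        for link in reversed(c.links):
            if link.enforced:
                enforced.append(link.gpo)        # ... so the site-level one is last
    return [local] + normal + enforced


def resolve(local: GPO, chain: List[Container], groups: Set[str],
            computer: dict) -> Tuple[Dict[str, str], List[str]]:
    """Return the effective settings and the names of the GPOs applied, in order."""
    effective: Dict[str, str] = {}
    applied: List[str] = []
    for gpo in application_sequence(local, chain):
        if gpo is not local and not applies_to(gpo, groups, computer):
            continue
        applied.append(gpo.name)
        for setting, value in gpo.settings.items():
            if value != NOT_CONFIGURED:
                effective[setting] = value       # last writer wins
    return effective, applied


# Constructed scenario: one site, one domain, one OU with Block Policy Inheritance.
LOCAL = GPO("Local Computer Policy", {"RemoveRunMenu": "Enabled"})
SITE = Container("HQ", [Link(GPO("SiteLockdown", {"ScreenSaverTimeout": "600"}))])
DOMAIN = Container("corp.example", [
    Link(GPO("Default Domain Policy", {"MinPasswordLength": "8"})),
    Link(GPO("DomainBaseline", {"DisableRegistryTools": "Enabled"}), enforced=True),
])
MARKETING = Container("Marketing", [
    Link(GPO("MarketingPolicy",                               # link order 1
             {"DisableRegistryTools": "Disabled", "RemoveRunMenu": "Disabled"},
             deny_apply={"Administrators"})),                 # Activity 11-5 style filter
    Link(GPO("MarketingWallpaper",                            # link order 2
             {"Wallpaper": "corp.bmp", "RemoveRunMenu": "Enabled",
              "ScreenSaverTimeout": NOT_CONFIGURED},
             wmi_filter=lambda c: c.get("os") == "Windows XP")),
], block_inheritance=True)
CHAIN = [SITE, DOMAIN, MARKETING]

if __name__ == "__main__":
    for groups, computer in [({"Authenticated Users", "Marketing"}, {"os": "Windows XP"}),
                             ({"Authenticated Users", "Marketing", "Administrators"}, {"os": "Windows XP"}),
                             ({"Authenticated Users", "Marketing"}, {"os": "Windows 2000"})]:
        effective, applied = resolve(LOCAL, CHAIN, groups, computer)
        print(sorted(groups), computer["os"], "->", applied, effective)
```

Run it and compare with gpresult /v on a real client: the "Applied Group Policy Objects" list should be in the same last-wins order, and a GPO removed by security filtering shows up under "The following GPOs were not applied because they were filtered out" with the reason Denied (Security).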

Page 23

Slow Link Detection

• When working over a slow link it may be undesirable to apply some parts of Group Policy, such as software installation and folder redirection
• The client pings the domain controller several times to estimate the link speed
• 500 Kbps or less is considered slow (the default; adjustable with the Group Policy slow link detection setting under Computer Configuration\Administrative Templates\System\Group Policy)
• Security settings and registry-based Administrative Templates are always processed, even over a slow link; the other extensions are skipped by default

Page 24

Default Slow Link Behavior (figure)

Page 25

Desktop Management with Group Policy

• Desktop management is one of the primary goals that can be accomplished with Group Policy

Page 26

Restricting Windows

• Can protect users from their own mistakes
• Remove access to features such as:
  • Configuring proxy settings
  • Setting desktop wallpaper
• These Administrative Templates settings hide or disable parts of the user interface; they are not permissions, so pair them with the security settings covered later when the goal is to stop a determined user rather than a careless one

Page 27

Folder Redirection

• Allows the administrator to change the location of default Windows folders
• Locating them on a server allows users to access their information from any computer on the network, and puts it on storage that is backed up

Page 28

Folder Redirection (continued)

• Folders that can be redirected are:
  • Application Data
  • Desktop
  • My Documents (optionally including My Pictures)
  • Start Menu

Page 29

Scripts

• GPOs can contain scripts for:
  • Logon
  • Logoff
  • Startup
  • Shutdown
• Can be written in languages such as:
  • VBScript (.vbs)
  • JScript (.js)
  • Batch files (.bat, .cmd)
• Must be stored in a location accessible to the users or computers running them; the GPT's MACHINE\Scripts and USER\Scripts folders in SYSVOL are the usual place
• Startup and shutdown scripts run as LocalSystem and logon and logoff scripts run as the user, so write access to the script location is equivalent to running code with that identity: keep the ACLs on the share and folders tight

Page 30

Security Management with Group Policy

• Security policy: the collection of security-related settings
• Located in every GPO under Windows Settings\Security Settings
• The majority of security policy settings apply to computers and are found in the Computer Configuration section

Page 31

Account Policies

• Include configuration settings that may be the initial step to securing a computer network
• For domain accounts they must be configured in a GPO linked to the domain (by default the Default Domain Policy); a Windows Server 2003 domain has a single set of account policies, and the same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU
• Subcategories:
  • Password Policy
  • Account Lockout Policy
  • Kerberos Policy

Page 32

Local Policies

• Wide variety of settings; very flexible
• Categories:
  • Audit policy
  • User rights assignment
  • Security options

Page 33

Restricted Groups

• Define the users that are allowed membership in specific groups
• When Group Policy is applied, any member of a restricted group that is not on the restricted group's Members list is removed, and listed members that are missing are added
• Prevents administrators from accidentally adding users to sensitive groups, and reverts any other unauthorized addition at the next policy refresh
• The Member Of list works the other way round: it only adds the restricted group to the listed groups and removes nothing

Page 34

System Services

• Define which services are started, stopped, or disabled on computers (startup type Automatic, Manual, or Disabled)
• Can also configure security (the service's ACL) for services
• An effective way to disable unnecessary services on:
  • Client computers
  • Servers

Page 35

Registry Settings

• Define security permissions (ACLs) for registry keys
• Applied to all computers affected by the GPO

Page 36

File System

• Defines NTFS permissions applied to the local hard drives of computers affected by the GPO
• Enhances security by removing permissions to files and folders
• Both the Registry and File System settings are re-applied by the Security client-side extension periodically (every 16 hours by default) even when the GPO has not changed, so a local change to the permissions is reverted rather than left in place

Page 37

Wireless Network Policies

• Define settings for wireless network connectivity
• Configure which wireless networks workstations can connect to, and automatically configure WEP (Wired Equivalent Privacy, not "Wireless Encryption Protocol") keys and IEEE 802.1X authentication
• WEP is cryptographically broken and should be treated as no better than an open network; use the policy to push 802.1X, and WPA where the client and server service packs support it

Page 38

Public Key Policies

• Define configuration settings relating to the use of public key-based applications such as:
  • Encrypting File System (EFS), including the data recovery agent
  • Automatic certificate enrollment settings
  • Certificate Authority (CA) trusts (Trusted Root Certification Authorities, Enterprise Trust)
• Autoenrollment
  • New feature in Windows Server 2003
  • Allows computers and users to request certificates based on version 2 certificate templates automatically, from an enterprise CA running Windows Server 2003 Enterprise or Datacenter Edition

Page 39

Software Restriction Policies

• Define security settings related to what programs are allowed to run on a system
• Individual rules can be based on:
  • The file's hash
  • The digital certificate used to sign the executable
  • The file's path
  • The Internet zone (for Windows Installer packages)
• When several rules match, precedence is hash, then certificate, then path, then zone, and among path rules the most specific path wins; a file matched by no rule gets the default security level (Unrestricted unless changed to Disallowed)
• Path rules are only as strong as the permissions on the path: an Unrestricted folder that users can write to lets them run anything they copy into it
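How the rule types interact is the part of Software Restriction Policies that matters in practice, so here is an added example, written for this page and not the textbook's or Microsoft's code: a Python evaluator that applies a constructed rule set the way SRP does, hash before certificate before path before zone, the most specific path rule winning among path rules, and the default security level for anything unmatched. The paths, publisher name, file contents and the SHA-256 digest used for the hash rule are all constructed for illustration; the on-disk format of real SRP rules is not modelled.

```python
"""Added example, not from the textbook: how a Software Restriction Policy
decides whether a program may run.  Rule precedence is hash, certificate,
path, Internet zone; among path rules the most specific path wins; a
program matched by no rule gets the default security level.  The rules,
file contents, publisher names and paths below are constructed, and the
hash rule is computed with SHA-256 here purely for illustration."""
import hashlib
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class Program:
    path: str
    data: bytes                        # file contents, hashed for hash rules
    publisher: Optional[str] = None    # subject of the signing certificate, None if unsigned
    zone: Optional[str] = None         # Internet zone, for Windows Installer packages


@dataclass
class Rule:
    kind: str      # "hash" | "certificate" | "path" | "zone"
    match: str     # hex digest, publisher name, path pattern, or zone name
    level: str     # "Unrestricted" | "Disallowed"


PRECEDENCE = {"hash": 0, "certificate": 1, "path": 2, "zone": 3}


def norm(path: str) -> str:
    """Windows paths are case-insensitive; compare with one separator style."""
    return path.replace("/", "\\").lower()


def path_matches(pattern: str, path: str) -> bool:
    pat, p = norm(pattern), norm(path)
    if "*" in pat or "?" in pat:
        return fnmatchcase(p, pat)
    # A folder rule covers the folder itself and everything beneath it.
    return p == pat or p.startswith(pat.rstrip("\\") + "\\")


def matches(rule: Rule, program: Program) -> bool:
    if rule.kind == "hash":
        return rule.match.lower() == hashlib.sha256(program.data).hexdigest()
    if rule.kind == "certificate":
        return program.publisher is not None and rule.match == program.publisher
    if rule.kind == "path":
        return path_matches(rule.match, program.path)
    if rule.kind == "zone":
        return program.zone is not None and rule.match == program.zone
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def decide(program: Program, rules: List[Rule],
           default_level: str = "Unrestricted") -> Tuple[str, Optional[Rule]]:
    """Return (security level, winning rule); the rule is None when the default applied."""
    best = None
    for rule in rules:
        if not matches(rule, program):
            continue
        specificity = len(norm(rule.match)) if rule.kind == "path" else 0
        key = (PRECEDENCE[rule.kind], -specificity)   # lower key = higher precedence
        if best is None or key < best[0]:
            best = (key, rule)
    if best is None:
        return default_level, None
    return best[1].level, best[1]


# Constructed rule set: deny by default, allow Program Files and Windows, carve
# out a games folder, block one known binary by hash, trust one publisher.
MALWARE_BYTES = b"constructed sample: not a real program"
RULES = [
    Rule("path", "C:\\Program Files\\", "Unrestricted"),
    Rule("path", "C:\\WINDOWS\\", "Unrestricted"),
    Rule("path", "C:\\Program Files\\Games\\", "Disallowed"),
    Rule("hash", hashlib.sha256(MALWARE_BYTES).hexdigest(), "Disallowed"),
    Rule("certificate", "Example Publisher Ltd", "Unrestricted"),
    Rule("zone", "Internet", "Disallowed"),
]
DEFAULT_LEVEL = "Disallowed"


def level_for(program: Program) -> str:
    return decide(program, RULES, DEFAULT_LEVEL)[0]


if __name__ == "__main__":
    samples = [
        Program("C:\\Program Files\\Office\\winword.exe", b"word"),
        Program("C:\\Program Files\\Games\\sol.exe", b"sol"),
        Program("C:\\Program Files\\Shared\\update.exe", MALWARE_BYTES),   # hash beats path
        Program("C:\\Documents and Settings\\bob\\Desktop\\tool.exe", b"tool"),
        Program("C:\\Documents and Settings\\bob\\Desktop\\tool.exe", b"tool",
                publisher="Example Publisher Ltd"),
        Program("C:\\Program Files\\Shared\\dropped.exe", b"dropped"),     # writable allowed path
    ]
    for s in samples:
        level, rule = decide(s, RULES, DEFAULT_LEVEL)
        print(f"{level:12} {s.path}  ({rule.kind if rule else 'default level'})")
```

The last sample is the practitioner's caveat from the slide: a file dropped into an Unrestricted path by a user who can write there runs, so with a Disallowed default level the path rules must point only at directories standard users cannot write to, or the allow list should be built from certificate and hash rules instead.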

Page 40

IP Security Policies

• Define IPSec settings
• Can enable IPSec for the entire network with little effort
• Three sample policies ship with Windows: Client (Respond Only), Server (Request Security) and Secure Server (Require Security); only one IPSec policy can be assigned in a GPO, and the last GPO applied wins

Page 41

Security Templates

• Used to:
  • Define, edit, and save baseline security settings
  • Apply them to computers with common security requirements
  • Meet organizational security standards
• Help ensure that:
  • Consistent settings can be applied to multiple machines
  • Settings are easily maintained
• Stored in .inf files (plain text; the shipped templates are in %SystemRoot%\security\templates)

Page 42

Security Templates (continued)

• Setup security.inf
  • Default template, created during setup
  • Provides a single file in which all original computer security settings are stored
  • Large, and meant to be applied with secedit to an individual machine rather than through a GPO; do not link it to a domain
• Incremental templates (such as Securews.inf, Hisecws.inf, Securedc.inf, Hisecdc.inf, Compatws.inf and Rootsec.inf)
  • Only apply to machines already running the default security settings, because they modify those settings rather than replace them
• Use the Security Templates snap-in to create custom templates

Page 43

Analyzing Security

• Security Configuration and Analysis utility
  • Compares current system settings to a previously configured security template
  • Identifies:
    • Changes to the original security configurations
    • Possible security weaknesses
• The same comparison from the command line: secedit /analyze /db analysis.sdb /cfg baseline.inf /log analysis.log; secedit /configure with the same database and template then applies the baseline
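Pages 41 to 43 describe templates and the analysis step without showing either. The following added example (written for this page, not the book's or Microsoft's code) is a Python parser for the .inf template format and a comparison in the spirit of Security Configuration and Analysis: it reads a constructed baseline (password, lockout, audit, user-right and one LSA registry setting) and a constructed export of a machine that has drifted, and reports each baseline setting as ok, mismatch or not defined. The section and key names are the real ones used in templates; the values and SIDs are illustrative.

```python
"""Added example, not from the textbook: a parser for the .inf security
template format used by the Security Templates snap-in and by secedit,
plus the comparison that Security Configuration and Analysis performs.
Each setting in the baseline template is checked against the machine's
current configuration (here a second template in the same format, as
"secedit /export" produces).  Both templates are constructed for this
example and are not the shipped Microsoft templates."""
import re
from typing import Dict, List, Tuple

Template = Dict[str, Dict[str, str]]
Row = Tuple[str, str, str, str, str]     # section, key, expected, actual, status
SET_VALUED = {"Privilege Rights"}        # values are comma-separated SID lists
METADATA = {"Unicode", "Version"}        # file bookkeeping, not policy


def parse_inf(text: str) -> Template:
    """Parse a template into {section: {key: value}}; ';' starts a comment."""
    sections: Template = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return sections


def normalise(section: str, value: str):
    """Make values comparable: SID lists as sets, everything else as a string."""
    if section in SET_VALUED:
        return frozenset(s.strip() for s in value.split(",") if s.strip())
    return value.strip().strip('"')


def analyse(baseline: Template, current: Template) -> List[Row]:
    """One row per baseline setting, like the Analyze Computer Now action."""
    rows: List[Row] = []
    for section, settings in baseline.items():
        if section in METADATA:
            continue
        for key, expected in settings.items():
            actual = current.get(section, {}).get(key)
            if actual is None:
                status = "not defined"
            elif normalise(section, actual) == normalise(section, expected):
                status = "ok"
            elif section in SET_VALUED and normalise(section, actual) > normalise(section, expected):
                status = "mismatch (extra principals hold the right)"   # widened access
            else:
                status = "mismatch"
            rows.append((section, key, expected, actual or "", status))
    return rows


def findings(rows: List[Row]) -> List[Row]:
    return [r for r in rows if r[4] != "ok"]


BASELINE_INF = r"""
; constructed baseline: password, lockout, audit, rights and one LSA value
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
[Version]
signature="$CHICAGO$"
Revision=1
"""

CURRENT_INF = r"""
; constructed export of a machine that has drifted from the baseline
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 1
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544,*S-1-5-21-1000-2000-3000-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""

if __name__ == "__main__":
    for section, key, expected, actual, status in analyse(parse_inf(BASELINE_INF), parse_inf(CURRENT_INF)):
        print(f"{status:40} [{section}] {key}: expected {expected!r}, found {actual!r}")
```

On a real Windows Server 2003 machine the current configuration comes from secedit /export /cfg current.inf, and the same comparison is done by secedit /analyze /db analysis.sdb /cfg baseline.inf /log analysis.log; secedit /configure /db analysis.sdb /cfg baseline.inf then applies the baseline. An extra SID on a user right (here SeDebugPrivilege) is flagged separately because that kind of drift widens access rather than narrowing it and deserves a look before the template is simply re-applied.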

Page 44

Using the Group Policy Management Console

• Available as a free download (gpmc.msi) for Windows Server 2003 customers
• Brings together tools and options that were previously spread across a number of different tools
• Adds new functionality: backup and restore of GPOs, import and copy, HTML reports of settings, Group Policy Modeling and Group Policy Results
• Highly recommended, especially in large deployments
• Renames No Override to Enforced and Block Policy Inheritance to Block Inheritance

Page 45

Troubleshooting Group Policy

• The most important thing is the interaction of:
  • Links to containers
  • Priority ordering by administrators
  • No Override
  • Block Inheritance
  • ACL permissions
  • Loopback Processing Mode
  • WMI filters

Page 46

Troubleshooting Tools

• Resultant Set of Policy (RSoP): the rsop.msc snap-in, in logging mode (what was actually applied) or planning mode (what would apply)
• Gpresult: gpresult /v lists the GPOs applied, and those filtered out, for both the computer and the user, with the reason (Security, WMI Filter, Empty, Disabled)
• Gpupdate: gpupdate /force reapplies all settings, not just those that changed
• Dcgpofix: dcgpofix /target:Domain, DC or Both recreates the Default Domain Policy and the Default Domain Controllers Policy in their original state, discarding any customization
• Also check the Application event log for Userenv errors, and that the GPC version number matches the Version line in gpt.ini on every domain controller; a mismatch means Active Directory or SYSVOL replication has not completed

Page 47

Summary

• Group Policy applies settings to users and computers in a:
  • Site
  • Domain
  • Organizational unit
• The order of application for GPOs is:
  • Local
  • Site
  • Domain
  • Organizational unit

Page 48

Summary (continued)

• A user or computer must have Read and Apply Group Policy permissions on a GPO in order for the policy to apply
• To affect domain accounts, account policies must be set at the domain level
• Security management using Group Policy is accomplished with the Security Settings in each GPO, usually populated from security templates